360 Elite, Eh?

We announced what appears to have been the world’s worst-kept gaming secret!

From my perspective (as an Australian owner of a White Xbox for the last year), I’m not fussed; HDMI is non-present on my current monitor, and I’m quite happy with the VGA cable. Not as happy with the 50Hz PAL problem on backwards compatible games, but if HDMI ain’t an option anyway…

The extra cost is about the same as the price of the drive, so HDMI looks like the fundamental improvement here:

  • Elite cost $US479
  • Premium $US399
  • Core $US299

Sooo… looks like I’ll just upgrade the drive on my trusty white box at some point. Then again, there’s no movie store here, so… hopefully we’ll be guinea pigs for IPTV instead? 🙂

Every Windows Admin Should Know: Template User vs Mr Nobody

Raymond beats me to the punch (mine was going to be rant-i-er, but five times* as funny), on how the HKEY_USERS\.Default, despite having the word “Default” in the key name, isn’t “The Default User” from which all others are initially spawned.


It’s possibly the most frequent misconception I’ve hit in the user profiles space (which I don’t really work in any more, but did quite a bit for a while there).


I even argue with colleagues about it from time to time; the most reliable way to win the argument is by loading up the NTUSER.DAT in the Default User Profile (that’s the one on disk – C:\Documents and Settings\Default User) and modifying a value there, then creating a new user and noting the new value is part of the new profile. “Ohhh,” they say. “You’re so awesome,” they say. “You look amazing too. Have you been working out?”


Where was I? Ah, right – Raymond calls the on-disk guy the template user; seems like a good name.


My pet name for .Default is “Mr Nobody”. If I thought I could swing it, I’d get the key renamed to .Nobody, but there’s Buckley’s of that happening.


Windows 95 might have used Mr Nobody differently (back then, called the CancelMan, cos you could log in to the default “profile” just by hitting Cancel at the password dialog, unless… steps… had been taken – anyone else have loads of fun with POLEDIT and the CancelMan in ’95?) in a profiletacular way, but profiles weren’t on by default anyway, so I might just be misremembering and blathering.
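The argument-winning test described above, scripted as an added example (not code from the original post): it writes a marker into the template user's on-disk hive and checks that HKEY_USERS\.Default does not pick it up. The mount name, key and value names are constructed for illustration; run it from an elevated prompt.

```powershell
param(
    # Path from the post (XP/2003). On Vista and later the template profile is C:\Users\Default.
    [string]$TemplateHive = 'C:\Documents and Settings\Default User\NTUSER.DAT',
    [string]$MountName    = 'TemplateUser',          # hypothetical temporary mount point under HKU
    [string]$DemoKey      = 'Software\ProfileDemo',  # constructed key name
    [string]$DemoValue    = 'Marker'                 # constructed value name
)

function Invoke-Reg {
    # Run reg.exe with the given arguments and fail loudly on a non-zero exit code.
    & reg.exe @args | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe $($args -join ' ') failed ($LASTEXITCODE)" }
}

function Test-RegValue([string]$Key, [string]$Name) {
    # True when the value exists; reg.exe query exits non-zero when it does not.
    & reg.exe query $Key /v $Name 2>$null | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# NTUSER.DAT is hidden, so test for it with .NET rather than Get-Item.
if (-not [System.IO.File]::Exists($TemplateHive)) {
    throw "Template hive not found: $TemplateHive"
}

# Mount the template user's hive next to the other hives under HKEY_USERS.
Invoke-Reg load "HKU\$MountName" $TemplateHive
try {
    Invoke-Reg add "HKU\$MountName\$DemoKey" /v $DemoValue /t REG_SZ /d 'set-in-template' /f

    # HKU\.DEFAULT is a separate hive: the value written above must not appear there.
    $inTemplate   = Test-RegValue "HKU\$MountName\$DemoKey" $DemoValue
    $inDotDefault = Test-RegValue "HKU\.DEFAULT\$DemoKey"   $DemoValue
    "Present in template hive : $inTemplate"
    "Present in HKU\.DEFAULT  : $inDotDefault"
}
finally {
    # Always unload so the hive file is not left locked.
    Invoke-Reg unload "HKU\$MountName"
}
```

A user created after this runs starts with the marker under HKEY_CURRENT_USER\Software\ProfileDemo; delete the key from the template hive the same way once the point is made.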

(Gasp)

Oh noes! They found out our secrets! How!?

Who would have thought that anyone would produce a converter between Office Open XML and any other format? I mean, it’s XML! People can read XML themselves, right?

Why would you ever want to translate an XML format into plaintext, or HTML, or RTF, or CSV, or ODF, or XAML, or Bork, or… anything!?

I mean, what’s the point in publicly publishing the format (and doing this) if other people are just going to go and use it!? It boggles the mind!

I want to publish a website to the Internet. How do I enable Kerberos?

Ya don’t.


You can’t win. But there are alternatives to fighting.


Why Not?


Windows Kerberos doesn’t work in an Internet scenario; it’s intranet-only:

  • The client machine must be a member of the same Active Directory forest as the target site. You just can’t guarantee (or even reasonably require) this for random Internet clients.
  • The client machine has to be able to contact a Domain Controller in that site to get a Kerberos ticket. Most folk are understandably cautious about exposing their DCs directly to the Internet.

So Are You Just Telling Me I Can’t Do It? You’re A Bad Person.


Yes, I am, and no, I’m not telling you that – I’m saying it doesn’t work on its own.


It’s not a zero-setup-cost solution, but it is a block-level solution that lots of smaller companies don’t know about or consider – they just switch to Basic authentication, forgo the benefits of pre-authentication, and plonk the server in the DMZ.


That “alternative to fighting” I mentioned earlier is ISA Server 2006. You plonk ISA Server into the domain, either as or behind your outer firewall (depending on number of NICs). Then, you use ISA to publish the website. (ISA’s publishing capabilities are laid out in gory detail here).


The website itself doesn’t get put anywhere near the Internet, it gets to stay inside the safer part of the network.



How does that help?


ISA has the capability of authenticating a client connection using Basic (Internet friendly!) or Forms authentication (also Internet friendly!) then performing Kerberos Constrained Delegation inside the firewall. It converts one form of authentication into another. There’s a big document on ISA 06 authentication options here.


Once ISA has converted the protocol to Kerberos, you’re free to do whatever you’d normally do in an Intranet scenario, but only with the nominated website – the website can then use your pre-existing Kerberos delegation setup to do Native Authentication to a SQL Server, or talk to Active Directory, or, well, whatever.
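A check an administrator might run to confirm that the delegation really is limited to "the nominated website", as an added example rather than anything from the original post or the ISA documentation. It assumes the ActiveDirectory PowerShell module is available; the computer account name and SPN are placeholders.

```powershell
Import-Module ActiveDirectory

$IsaComputer  = 'ISA01'                            # placeholder: the ISA Server computer account
$ExpectedSpns = @('http/intranet.example.local')   # placeholder: SPN of the one published website

$acct = Get-ADComputer -Identity $IsaComputer -Properties `
    TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

$allowed  = @($acct.'msDS-AllowedToDelegateTo') | Where-Object { $_ }
$findings = @()

# Basic/Forms in, Kerberos out is protocol transition: the account must be
# trusted for delegation with "use any authentication protocol".
if (-not $acct.TrustedToAuthForDelegation) {
    $findings += 'Protocol transition is off: delegation after Basic/Forms authentication will fail.'
}

# Unconstrained delegation would let the account delegate to any service,
# not only the nominated website.
if ($acct.TrustedForDelegation) {
    $findings += 'Unconstrained delegation is enabled on the ISA account.'
}

# The constrained list should hold the published site and nothing else.
$extra   = $allowed      | Where-Object { $ExpectedSpns -notcontains $_ }
$missing = $ExpectedSpns | Where-Object { $allowed -notcontains $_ }
foreach ($spn in $extra)   { $findings += "Unexpected delegation target: $spn" }
foreach ($spn in $missing) { $findings += "Expected delegation target missing: $spn" }

if ($findings.Count -eq 0) {
    "OK: $IsaComputer delegates only to $($ExpectedSpns -join ', ')"
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```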


You also gain the not-insubstantial added benefit of ISA being able to pre-authenticate and authorize clients – so that by the time the client even touches your actual website, you know who they are (or at the very least, who they’ve successfully been able to impersonate), and can potentially even restrict the users allowed to hit it to certain groups (keep in mind that this is before they’ve even seen a “real” web page on your web server – you have had to write zero code for this).


ISA’s the same solution we recommend to help secure our premier applications – Exchange and Sharepoint – so why not use it for yours?

Xbox 360 Wireless Receiver for Windows: Installation Experience

“Experience” is a lovely word for a corporate blog. Discuss.

Anyway, my experience was that it didn’t work the first time round. That was at 7pm. It’s now 9pm, and I’ve just finished my first laps around Barcelona in RFactor, using the Wireless Racing Wheel and TrackIR.

Awesome? You betcha! Easy? Not quite what I’d hoped for!

So what can you learn from my experience, dear gamer? Read on…

I’d gone out to buy the receiver this evening – so it’s available in Australia now! – and ended up getting a receiver-and-controller-in-one pack, as the standalone receivers seemed to have sold out quicksmart (and there was much rejoicing among shareholders).

After the by-now-rather-passe strains and cuts endured while opening the packaging/security enclosure/weaponized clear plastic container, I was eager to just plug stuff in!

Reading the helpful green tag on the plug (“Install software first”), I was tempted to just plug it in and let WindowsUpdate do the rest, but I thought I’d Do The Right Thing and, y’know, install the CD it came with.

That Was My Mistake

That, it appears, was my mistake. If you skip to the “After System Restore” section below, you’ll see that the installation can be perfectly painless.

For me, though, it wasn’t. The CD was put in, Autorun selected, and it promptly told me I didn’t meet the system requirements and should check the website.

This I did, and eventually browsed my way over to the Wireless Receiver download for Windows Vista X64.

Note for first-time readers: I run Windows Vista X64 at home on my gaming machine. I’ve never been able to justify this decision rationally, except with the flimsiest of excuses: more bits must be better. (and more registers, and fewer k-mode drivers, and…)

Anyway, I installed the proffered software, it found the wireless receiver and installed a nice Xbox-like indicator accessory thingo.

But no matter what I did, whatever combination of resync-button-mashing or battery removal or unplugging or replugging or… well, anything (there are a massive total of three relevant buttons, the Guide button solely being used for power in this scenario, so there’s not a vast amount of creativity required), the controller’s ring of light would loop, then both the receiver and controller would flash, then the controller would continue all-quadrants-flashing. It was very consistent – sorta the equivalent of “yes, I know you’re there, but I don’t want to talk to you”. Plus, when I was trying to repurpose an existing controller, I’d end up turning the Xbox 360 on all the time.

On the X64 box, I’m running in test-signing mode to get past some semi-signed driver issues, and at the back of my mind, I’m always a little suspicious that something somewhere is working differently because of this. So far, I haven’t found anything that was directly attributable to it, but I live in fear (and with Test Mode printed in all eight corners of my screens).

So, I tried it out on Tiny, my P1610, far, far away from the Xbox. I just plugged in the receiver, and 32-bit Vista downloaded the Wireless Receiver software from Windows Update (Tiny doesn’t have an optical drive), and the controller synced with the receiver. Took about two minutes all up, including resuming from hibernation.

With this in mind, I tried deleting the drivers for the Receiver using Device Manager, but they seemed to reinstall locally and not from Windows Update; an Update didn’t seem to fix it, so I gave up and turned to my old new best friend, System Restore. Back to before I installed the download. This took about five minutes.

After System Restore, I Just Plugged It In

… and this time, it found the drivers directly from Windows Update, installed them in about five seconds flat, and then the controller magically synced itself straight away. The drivers installed for the controller, and whop! It was done!

I haven’t yet downloaded the Accessory thingo again (the thing that does the Xbox-style on-screen Ring Of Light), but it’s on the back burner.

Now, I might have seriously stuffed something up early on. I was going to add “but I don’t think so”, but it’s pretty obvious that I did, barring a faulty download or something.

Yay!

Anyway, moral of the story this time is: Just plug it in and let Windows Update do the work for you, if you’re running Windows Vista X64. And x86, for that matter, based on my similarly-good experience with Tiny.

Now, all my Wireless devices are happy to chat to the receiver (reminds me, I haven’t tried the headset yet…) and I’m happily playing RFactor with a real wheel!

Yep – works just like the original headset with a wired controller (as a separate audio device in Windows), only it’s wireless! Cool!

As they say in Jamaica*, w00t, m0n.

Anyone else have problems, or did it Just Work for y’all?

[Update 3rd March] – the receiver stopped working again on the restart after the more-recent Accessories installation. System Restore-ing back to just the bare drivers worked again; I’m going to try a couple more reboots to see if it’s a reboot thing in general, or just an Accessories thing.

NLB Ain’t Application-Aware

It’s been ages since I touched on anything wibbles-related, but I realized I’d neglected a very common query:

If one of my applications is under load, will Network Load Balancing route/move/transfer all the additional load to the other server?

No. As long as the box still lives (or more specifically, the NLB driver is able to send heartbeats and receive incoming IP traffic), NLB will keep on allowing connections.

The load rules are used to govern the rough percentages of connections, but any web developer will tell you that connections don’t necessarily map to load.

From NLB’s perspective, it doesn’t even matter if your application isn’t running any more. It’s simply there to filter out all the traffic you don’t want to hit that machine. (Recall that getting NLB working basically means fire-hosing all incoming traffic at all members of the NLB cluster, and relying on each node to know which bits of traffic to ignore, and which they “own”).

For Terminal Servers, this means that if one TS is overloaded and can’t accept any more connections, NLB doesn’t know or care. IIS is similar – if one Web app is chewing 100% CPU, don’t expect connections to be balanced to another server based on that fact alone.

This leads to the existence of health-monitoring utilities that will pull a box from an NLB cluster (i.e. DRAINSTOP it) if they detect a problem with a key app (much as ISA Server 2006 and 2004 do when they detect a problem with an array member).

Technet describes this in more detail here.

(Thanks to ‘softie Daniel Taylor for digging up the relevant links and mailing them to me.)
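A minimal sketch of the kind of health-monitoring utility mentioned above, as an added example (not from the original post or from TechNet): it probes the application itself and drainstops the local node when the app stops answering, since NLB alone only notices a dead box. The probe URL and thresholds are assumptions; it relies on the nlb.exe control utility being present on the node and must run elevated.

```powershell
param(
    [string]$ProbeUrl         = 'http://localhost/healthcheck.aspx', # hypothetical health page of the key app
    [int]$FailuresBeforeDrain = 3,    # consecutive failed probes before leaving the cluster
    [int]$IntervalSeconds     = 10
)

function Test-App {
    # Healthy means the application answered with HTTP 200 within 5 seconds.
    # The probe goes to localhost, so it keeps working while the node is drained.
    try {
        $r = Invoke-WebRequest -Uri $ProbeUrl -UseBasicParsing -TimeoutSec 5
        return ($r.StatusCode -eq 200)
    } catch {
        return $false
    }
}

$failures = 0
$drained  = $false

while ($true) {
    if (Test-App) {
        $failures = 0
        if ($drained) {
            # Application recovered: rejoin the cluster and take new connections again.
            & nlb.exe start | Out-Null
            $drained = $false
            "$(Get-Date -Format s) app healthy, node started"
        }
    } else {
        $failures++
        if (-not $drained -and $failures -ge $FailuresBeforeDrain) {
            # Heartbeats are still flowing, so NLB would keep sending connections here.
            # drainstop lets existing connections finish and refuses new ones.
            & nlb.exe drainstop | Out-Null
            $drained = $true
            "$(Get-Date -Format s) $failures failed probes, node drainstopped"
        }
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```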